
This is actually a violation of HIPAA law. My wife regularly schools hospital and doctors' office employees all the time on their consent practices (she has a degree in public health). She will even call the hospital’s IRB to file formal complaints. Things we’ve heard:

“We will have you sign the consent form after the procedure when it’s more convenient for you”

“The first page doesn’t apply to you (when it clearly does)”

“Sign here to acknowledge receipt of our privacy policy (which we haven’t given you)”



"Things we've heard"?

Every single time I have ever been asked by a medical office to sign that I have been given a copy of their privacy policy, I have never been given that policy. Every single time I have pointed this out. Every time except one I have been made to understand that I am being unreasonably difficult.

From my experiences, I wouldn't say this is a rumor and something to be heard of. It is the standard practice everywhere I have ever sought medical attention.


Sorry, I should be more clear. When I say “things we have heard,” I mean “things someone said to us to our faces, which we heard with our own ears.”


Wow. Curious where you live. I have ALWAYS been provided all the documentation, in hard copy, with copy of receipt available if I desire it.


It's happened to me pretty often in California.


> “We will have you sign the consent form after the procedure when it’s more convenient for you”

Isn't the consent form for their CYA? I wonder what happens if someone refuses to sign it later.


Or dies during the procedure


So what's the punishment for what the parent comment described?


Each violation of HIPAA can carry a fine between $100 and $50,000 per violation. The hard part is that many people don't know what their privacy rights are, or to whom they go when their rights are violated (in this case, the Office of Civil Rights of the Department of Health and Human Services).


And that OCR is also a load of shit.

I had an office emailing me their appointment data for a patient; I don't know if we had a similar email or something. I responded the first two times I received it that it was being sent in error, and to please stop, for the sake of everyone concerned.

On occasions 3 and 4 I attempted to contact the practice. Both times I was sent to the manager's voicemail, where I left messages that were never returned.

After a half-dozen of these occasions, I contacted OCR on behalf of the patient (you can file an OCR complaint on someone else's behalf), specifically referencing the fact that although the privacy violation is not significant, their repeated violation with no effort to stop is. I enclosed screen shots of the repeated emails I had sent the practice, and the repeated privacy-violating emails I'd gotten from them.

OCR said they'd get in contact with the practice and help them implement a technical solution to stop contacting me, and could I please give them my email address to blacklist, and asked if that solution was satisfactory.

I said, no, no that's not fucking satisfactory. They could have fixed the email issue a year ago; it doesn't require technical assistance from the government. While I appreciate trying to assist small practices in remedying technical defects rather than just being punitive, this was exactly the time to be punitive - when the technical defect is simple and easy to remedy ("we have the wrong contact info; update it"), and there was plenty of opportunity to remedy and they willfully continued to engage in the activity. And blacklisting my email address does absolutely nothing to protect the next patient's privacy.

A few weeks later I got a letter in the mail that basically restated what had been in the email, and that no further action would be taken.

(Before anyone says "but you got no more information than you would have had if you'd been sitting in the waiting room when the guy came for his appointment":

HIPAA has an exception that basically says "reveal the minimum you need to run a functional clinic, but yeah, obviously you need to run a functional clinic." So things like "patients in the waiting room" are exempt from HIPAA because, well, you won't be able to keep an office open if you can't keep a waiting room full. That same information emailed out to a random stranger - that is, absolutely not needed to be shared with me to provide routine care - does not share that exemption.)


Look up how often HIPAA investigations turn into monetary fines. It’s comically small and essentially only affects big hospitals, universities, and insurance companies.

The agency likes to report “enforcement actions” which include fines but 99% of the time are some kind of promise to do better in the future.

HIPAA violations are one of those things the public thinks are super serious but in reality are all but a total joke.

And don’t get me started on HIPAA compliance consultants lol. Reminds me of Lisa Simpson selling Homer her magic rock that keeps away tigers.


The IRB would not be the correct office for a HIPAA violation, unless it was an informed consent form for a research study.

Most hospitals have a compliance office where this type of issue would be handled.


Yeah, the IRB isn't even within spitting distance of a HIPAA issue. They're entirely different things, handled by different regulatory agencies, and administered in different parts of a hospital (if a hospital even has an IRB, as most don't, since most aren't research institutions), overseeing different activities.

If someone called my hospital's IRB to "school them" on a HIPAA violation, I can't even imagine what their response would be. I mean, I'm sure it would be polite, but it's not like they'd start hand-holding the lady on how to file complaints - they wouldn't know, themselves. It's only one step up from calling the cafeteria services people.


Sorry, should have been more clear. The case where she called the IRB was where the office completely messed up the consent process -- told her to disregard the first page of the consent, which was included in the package and included items that were directly relevant, and also didn't include materials referenced in the consent. Note, this was in a research/teaching hospital, where the consent notice includes consent for students to participate in the procedure, so that's why she called the IRB -- and they were very interested to hear what she had to say ...


For a specific definition of "handled".


Hospitals take compliance issues very seriously; the incentives are skewed highly in one direction.

Consider it an extension of "HR is there to protect the company, not you." Compliance is there to protect the hospital, not the individual employee that may have erred.

As long as they make a good faith effort to act on the complaint, they themselves are protected from liability. Whereas if they don't act, they open themselves up to enormous liability, on behalf of a replaceable peon - I mean, on behalf of a highly respected staff member.


This makes me think that one should have to sign every page, because what's to stop pages being substituted after the fact? If you only sign the last page, there's no way to prove that the rest of the document is what you agreed to.
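The substitution risk described in the comment above has a direct digital analogue. The following Python is an added example written for this page, not code from the commenter or from any e-signature product: it contrasts a signature that covers only the final page with one over a digest of every page (page count and per-page length included), using HMAC-SHA256 as a stand-in for a real signature, and shows that swapping page 1 goes undetected in the first case and is caught in the second. The consent text, page list and signer key are constructed for the illustration.

```python
import hashlib
import hmac

# Constructed sample consent form, one string per page. Not a real document.
CONSENT_PAGES = [
    "Page 1: students may participate in the procedure",
    "Page 2: you may withdraw consent at any time",
    "Page 3: signature block",
]

# Hypothetical signer secret. An HMAC key stands in here for whatever binds a
# signature to a signer (a private key in a real e-signature system).
SIGNER_KEY = b"hypothetical-signer-secret"


def sign(message: bytes, key: bytes = SIGNER_KEY) -> str:
    """Stand-in for a signature: HMAC-SHA256 over the bytes being signed."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def sign_last_page(pages):
    """The weak practice: only the final page is covered by the signature."""
    return sign(pages[-1].encode())


def verify_last_page(pages, signature):
    return hmac.compare_digest(sign_last_page(pages), signature)


def document_digest(pages):
    """Hash every page, prefixed with the page count and each page's length,
    so no page can be swapped, dropped or appended without changing the digest."""
    h = hashlib.sha256()
    h.update(len(pages).to_bytes(4, "big"))
    for page in pages:
        data = page.encode()
        h.update(len(data).to_bytes(4, "big"))
        h.update(data)
    return h.digest()


def sign_whole_document(pages):
    """The sound practice: the signature covers a digest of every page."""
    return sign(document_digest(pages))


def verify_whole_document(pages, signature):
    return hmac.compare_digest(sign_whole_document(pages), signature)


def substitute_page(pages, index, new_text):
    """Return a copy of the form with one page replaced after the fact."""
    changed = list(pages)
    changed[index] = new_text
    return changed


if __name__ == "__main__":
    sig_last = sign_last_page(CONSENT_PAGES)
    sig_all = sign_whole_document(CONSENT_PAGES)
    tampered = substitute_page(
        CONSENT_PAGES, 0, "Page 1: students may perform the procedure unsupervised"
    )
    print("last-page signature still verifies after swap:",
          verify_last_page(tampered, sig_last))
    print("whole-document signature verifies after swap:",
          verify_whole_document(tampered, sig_all))
```

Initialling every page of a paper form is the manual equivalent of `sign_whole_document`: each page is bound to the signer, so a substituted or appended page shows up as unsigned. The length and count prefixes in `document_digest` matter because without them two different page splits can hash to the same bytes.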



